CVE-2020-36426 – This vulnerability in Arm Mbed TLS allows attac... (How to Fix)

Q: What is the severity of CVE-2020-36426?

CVE-2020-36426 has a CVSS score of 7.5 (HIGH). This vulnerability in Arm Mbed TLS allows attackers to read one byte beyond the allocated buffer when parsing Certificate Revocation Lists (CRLs) in DER format. This could potentially leak sensitive memory contents or cause application crashes. Any system using affected Mbed TLS versions for TLS/SSL operations is vulnerable.

📋 TL;DR

This vulnerability in Arm Mbed TLS allows attackers to read one byte beyond the allocated buffer when parsing Certificate Revocation Lists (CRLs) in DER format. This could potentially leak sensitive memory contents or cause application crashes. Any system using affected Mbed TLS versions for TLS/SSL operations is vulnerable.

💻 Affected Systems

Products:

Arm Mbed TLS
Products embedding Mbed TLS library

Versions: All versions before 2.24.0

Operating Systems: All operating systems using affected Mbed TLS versions

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when parsing CRLs in DER format; systems not using CRL verification may not be affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of sensitive memory contents, potential remote code execution through memory corruption, or denial of service causing application crashes.

🟠

Likely Case

Application crash or denial of service due to invalid memory access, potentially leaking limited memory contents.

🟢

If Mitigated

Minimal impact with proper memory protections (ASLR, DEP) and crash handling; potential information disclosure limited to one byte.

🌐 Internet-Facing: MEDIUM - TLS libraries are commonly exposed to untrusted input from network connections, but exploitation requires specific conditions.

🏢 Internal Only: LOW - Internal systems typically process trusted CRLs, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires attacker to supply a malicious CRL; buffer over-read of only one byte limits exploitation options.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.24.0 or later (also fixed in 2.16.8 and 2.7.17)

Vendor Advisory: https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

Restart Required: Yes

Instructions:

1. Identify Mbed TLS version in use. 2. Upgrade to version 2.24.0 or later. 3. Recompile applications using the library. 4. Restart affected services.

🔧 Temporary Workarounds

Disable CRL verification

all

Temporarily disable Certificate Revocation List verification if not required

# Configure application to not use CRL verification

Use PEM format CRLs

linux

Convert CRLs to PEM format instead of DER format

openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

🧯 If You Can't Patch

Implement network segmentation to limit exposure to CRL parsing
Deploy memory protection mechanisms (ASLR, DEP) to reduce exploitation risk

🔍 How to Verify

Check if Vulnerable:

Check Mbed TLS version with: ldd on binaries or check library version in application

Check Version:

strings /path/to/libmbedtls.so | grep 'mbed TLS' || mbedtls_version

Verify Fix Applied:

Verify Mbed TLS version is 2.24.0 or later, or patched versions 2.16.8/2.7.17

📡 Detection & Monitoring

Log Indicators:

Application crashes related to mbedtls_x509_crl_parse
Memory access violation errors
Unexpected termination of TLS services

Network Indicators:

Unusual CRL requests or malformed CRL data in TLS handshakes

SIEM Query:

source="application.logs" AND ("mbedtls" OR "TLS error") AND ("crash" OR "segfault" OR "memory violation")

📊 Metadata

CVE ID: CVE-2020-36426

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-125

Published: July 19, 2021

Last Updated: November 21, 2024

🔗 References

https://bugs.gentoo.org/740108 Issue Tracking,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html Mailing List,Third Party Advisory
https://bugs.gentoo.org/740108 Issue Tracking,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 Release Notes,Third Party Advisory
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-36426, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Mbed Tls by Arm

Mbed Tls by Arm

Mbed Tls by Arm

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable CRL verification

Use PEM format CRLs

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities